Topics - iorx

1
24.7 Production Series / Losing WAN every 15 minutes [SOLVED, ntopng Network Discovery...]
« on: August 11, 2024, 10:06:05 am »
Hi!

Need some help to get on the right track here I think.

Losing WAN connection every 15 minutes, as the title says.

Was in contact with the ISP and they had a theory that matches up with the times of the events: :00, :15, :30, :45.
The WAN connection is a static IP address and, according to them, they use ARP to assign it, and that happens every 15 minutes.

They also talked about a setting, "ignoring non-matching ARP" (?!). This is where I have a hard time understanding what's happening.

Don't know if it's worth anything, but attached is a copy/paste of Wireshark's packet list filtered on ARP and DHCP.
(_ws.col.protocol == "DHCP" || _ws.col.protocol == "ARP"  || _ws.col.protocol == "BOOTP")

Everything is updated to the latest available as of now.
Running OPNsense as a VM in Hyper-V.
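
The post above works from a Wireshark export filtered on ARP, and the resolution noted in the title (ntopng's Network Discovery) is a feature that sweeps the local segment with ARP. The block below is an added example, not code from the post or from OPNsense: a minimal classic-pcap reader that pulls out the ARP frames and flags two things worth checking on a capture like that, a sender asking for many distinct IPs in a short window (an ARP sweep) and an IP that more than one MAC answers for (the kind of mismatch an ISP's "ignore non-matching ARP" filter would act on). The capture is constructed in memory by demo_capture(); its MACs, the 10.0.0.0/24 addresses and the 15-minute timing are made up for the demonstration.

```python
"""Find ARP sweeps and conflicting IP claims in a pcap capture.

Added example, not code from the forum post. Instead of the poster's Wireshark
export a small capture is constructed in memory (demo_capture); the MACs and
the 10.0.0.0/24 addresses are invented.
"""
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def _ip(s):
    return bytes(int(o) for o in s.split("."))


def fmt_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def fmt_ip(b):
    return ".".join(str(x) for x in b)


def arp_frame(src_mac, sender_ip, target_ip, op, target_mac="00:00:00:00:00:00"):
    """Ethernet II frame carrying an RFC 826 ARP packet (Ethernet/IPv4)."""
    dst = _mac("ff:ff:ff:ff:ff:ff") if op == ARP_REQUEST else _mac(target_mac)
    eth = dst + _mac(src_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += _mac(src_mac) + _ip(sender_ip) + _mac(target_mac) + _ip(target_ip)
    return eth + arp


def pcap_bytes(records):
    """Serialise [(timestamp_seconds, frame_bytes), ...] as a classic big-endian pcap."""
    out = struct.pack("!IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("!IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def parse_arp(pcap):
    """Yield (ts, op, sender_mac, sender_ip, target_ip) for each ARP frame in a pcap."""
    magic = pcap[:4]
    if magic == b"\xa1\xb2\xc3\xd4":
        end = "!"          # file written big-endian
    elif magic == b"\xd4\xc3\xb2\xa1":
        end = "<"          # file written little-endian (what Wireshark normally saves)
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(end + "I", pcap[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(pcap):
        sec, usec, incl, _orig = struct.unpack(end + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
            continue
        htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
        if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
            continue
        yield (sec + usec / 1e6, op, fmt_mac(frame[22:28]),
               fmt_ip(frame[28:32]), fmt_ip(frame[38:42]))


def analyse(pcap, scan_threshold=20, window=60.0):
    """Return (scanners, conflicts).

    scanners : {mac: n} for senders that asked for >= scan_threshold distinct IPs
               within `window` seconds (the signature of an ARP sweep).
    conflicts: {ip: {mac, ...}} for IPs claimed by more than one MAC in replies.
    """
    requests = defaultdict(list)   # sender mac -> [(ts, target ip)]
    claims = defaultdict(set)      # sender ip  -> {sender mac}
    for ts, op, smac, sip, tip in parse_arp(pcap):
        if op == ARP_REQUEST:
            requests[smac].append((ts, tip))
        elif op == ARP_REPLY:
            claims[sip].add(smac)
    scanners = {}
    for mac, reqs in requests.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            targets = {tip for ts, tip in reqs[i:] if ts - t0 <= window}
            if len(targets) >= scan_threshold:
                scanners[mac] = len(targets)
                break
    conflicts = {ip: macs for ip, macs in claims.items() if len(macs) > 1}
    return scanners, conflicts


# Constructed capture: an ISP gateway refreshing its ARP entry for the firewall's
# static WAN address, then (15 minutes later) the firewall sweeping the subnet.
FW_MAC, FW_IP = "02:00:00:00:00:02", "10.0.0.2"
GW_MAC, GW_IP = "02:00:00:00:00:01", "10.0.0.1"
OTHER_MAC = "02:00:00:00:00:99"


def demo_capture():
    recs = [(0.0, arp_frame(GW_MAC, GW_IP, FW_IP, ARP_REQUEST)),
            (0.001, arp_frame(FW_MAC, FW_IP, GW_IP, ARP_REPLY, GW_MAC))]
    for n in range(1, 51):   # 50 who-has requests within a second: an ARP sweep
        recs.append((900.0 + n * 0.02, arp_frame(FW_MAC, FW_IP, f"10.0.0.{n}", ARP_REQUEST)))
    # A second MAC answering for FW_IP: the mismatch an ISP-side ARP filter would see.
    recs.append((901.5, arp_frame(OTHER_MAC, FW_IP, GW_IP, ARP_REPLY, GW_MAC)))
    return pcap_bytes(recs)


if __name__ == "__main__":
    scanners, conflicts = analyse(demo_capture())
    print("ARP sweeps:", scanners)
    print("IPs claimed by several MACs:", conflicts)
```

To run it against a real export, save the Wireshark capture as classic pcap (not pcapng), read the file as bytes and pass it to analyse(); bucketing the timestamps returned by parse_arp() into minutes is the quickest way to see whether the sweeps line up with the :00/:15/:30/:45 drops.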

2
23.7 Legacy Series / WireGuard delay at startup, need assistance to pin this down
« on: November 26, 2023, 02:12:26 pm »
Hi,

It's working after the delay.
Got, maybe, a bit "over the edge" config here.
Code:
Interface Identifier
[LAN_hn0] lan
[VLAN10IOT_hn3] opt2
[VLAN50GUEST_hn2] opt1
[WAN_hn1] wan
Wireguard site-to-site

AdGuard at port 53 and Unbound moved to 5353.

From the boot log:
Code:
2023-11-26T13:05:00 ntpd_configure_do[290] Starting NTP service...
2023-11-26T13:05:00 miniupnpd_configure_do[290] done.
2023-11-26T13:05:00 miniupnpd_configure_do[290] Starting UPnP service...
2023-11-26T13:05:00 wireguard_configure_do[290] done.
2023-11-26T13:03:22 wireguard_configure_do[290] Configuring WireGuard VPN...
2023-11-26T13:03:22 openvpn_configure_do[290] done.
Log files attached.

And plugins:
Code:
os-adguardhome-maxit (installed) 1.10 26.8MiB N/A mimugmail AdGuardHome
os-ddclient (installed) 1.17 108KiB 3 OPNsense Dynamic DNS client
os-lldpd (installed) 1.1_2 16.5KiB 3 OPNsense LLDP allows you to know exactly on which port is a server
os-net-snmp (installed) 1.5_2 27.3KiB 3 OPNsense Net-SNMP is a daemon for the SNMP protocol
os-ntopng (installed) 1.2_2 20.5KiB 3 OPNsense Traffic Analysis and Flow Collection
os-redis (installed) 1.1_2 68.4KiB 3 OPNsense Redis DB
os-upnp (installed) 1.5_4 34.0KiB 3 OPNsense Universal Plug and Play Service
os-wireguard (installed) 2.5_1 84.4KiB 3 OPNsense WireGuard VPN service kernel implementation

So, any good idea how to fix the almost 2 min delay at startup?

I suspect that maybe startup order can be a thing here. Possible to rearrange so AdGuard starts before WireGuard? Just a thought.

Brgs,

3
23.7 Legacy Series / Unencrypted cloud backups?
« on: November 23, 2023, 03:27:20 pm »
Hi,

Couldn't find the answer for this. Is it possible with Google Drive Cloud backup to store them without a password?

https://docs.opnsense.org/manual/how-tos/cloud_backup.html
System/Configuration/Backup/Google Drive: "Password | choose a strong password to encrypt the backup"

Leaving the password field empty resulted in a zero size xml. By design?

Brgs,

4
Virtual private networks / WireGuard preventing startup when WAN (dhcp) not available?
« on: August 11, 2023, 05:45:37 pm »
Hi!

Had a strange behaviour when restarting OPNsense while WAN was down (ISP had trouble, got no address for WAN). It took more time than I expected to get access (no response from SSH or the web UI), so I physically checked with a display attached to the firewall.
The startup was at initiating the WireGuard tunnel and exponentially increased the time, 1, 2, 4, 8 sec, for each try. I hit Ctrl+C on it and it continued, and I was then able to access it through SSH and HTTPS.

Sadly don't have logs for this event. Could be rather easily reproduced though.

But to the question: is this by design, or should it continue? If so, how long will it prevent the firewall from finishing booting?

Latest version of OPNsense,
OPNsense 23.7.1_3-amd64
FreeBSD 13.2-RELEASE-p2
OpenSSL 1.1.1v 1 Aug 2023

Brgs

5
23.7 Legacy Series / DHCPv4: Leases, extremely slow loading content
« on: August 07, 2023, 06:23:19 am »
Hi,

Got a spanking new install of 23.7 and have semi-migrated from another 23.7 install. Only restored DHCP and Firewall/alias, nothing more from the old install; the rest was reconfigured from defaults.

Now I experience that it takes up to 30 seconds to get 7 rows in the DHCPv4: Leases list.
That it was already slow on the previous hardware was acceptable, as it was an AMD APU box.
The new install is a Hyper-V guest and has lots of resources.

DHCP config.
It is active on two interfaces, LAN and GUEST, and the total number of clients in the list is around 40.

So anything I can provide here to nail down why DHCPv4: Leases has become so slow?

Brgs and KUDOS to all involved!

6
Intrusion Detection and Prevention / Update specific URL IP alias more often?
« on: March 06, 2023, 08:30:35 am »
Hi,

Is it possible to update a specific alias more often than once an hour? I need to update one of the lists from an external source around every 10 minutes.

The cron job for updating aliases, I suspect, updates them all, or does it take parameters to specify an alias to update?

Brgs,

7
23.1 Legacy Series / SNMP detection LibreNMS and missing firewall graphs compared to pfSense
« on: February 12, 2023, 01:22:09 pm »
Hi and KUDOS to all awesome forum members!

Maybe this should go into the LibreNMS community forum, but I'll give it a shot here first.

LibreNMS has had some trouble identifying OPNsense as a firewall since a couple of versions back. The SNMP response makes it identify it as FreeBSD and not OPNsense.
This can be fixed by adding "sysDescr OPNsense Firewall" to snmpd.conf, though.
With the above sysDescr, LibreNMS nicely shows an OPNsense icon/device.

Now for the real question.
What I noticed is that pfSense looks a bit different when inventoried, and what I'm missing here is /Device/Graphs/Firewall, which shows up for a pfSense device with lots of useful information.

The first part, what OPNsense answers in SNMP: could this be fixed so a default install is identified as OPNsense? A modification of the net-snmpd package or a fix in OPNsense?

Second part. The missing /Device/Graphs/Firewall, is this a LibreNMS or an OPNsense task to fix? I suspect it's within the device specification/polling template in LibreNMS, my amateur guess.

Brgs,

8
22.7 Legacy Series / python3 100% CPU OPNsense 22.7.11-amd64 [SOLVED]
« on: January 21, 2023, 03:07:16 pm »
Hi,

Updated my system. Is it just mine that went to 100% CPU on python3?

Versions    OPNsense 22.7.11-amd64
FreeBSD 13.1-RELEASE-p5
OpenSSL 1.1.1s 1 Nov 2022

Hardware information
Platform
Manufacturer    PC Engines
Product Name    apu3
Version    1.0
BIOS
Vendor    coreboot
Version    v4.17.0.2
Release Date    07/28/2022

Code:
last pid: 52507;  load averages:  2.00,  1.59,  0.85                                                                      up 0+00:07:13  15:01:44
47 processes:  2 running, 45 sleeping
CPU: 24.8% user,  0.0% nice,  0.3% system,  0.7% interrupt, 74.2% idle
Mem: 207M Active, 189M Inact, 776M Wired, 40K Buf, 2733M Free
ARC: 312M Total, 163M MFU, 121M MRU, 5516K Anon, 2097K Header, 21M Other
     248M Compressed, 609M Uncompressed, 2.45:1 Ratio
Swap: 8192M Total, 8192M Free

  PID USERNAME    THR PRI NICE   SIZE    RES STATE    C   TIME    WCPU COMMAND
73471 root          1 103    0    37M    24M CPU3     3   5:45  99.55% python3.9
 9049 root          1  20    0    14M  3816K CPU1     1   0:00   0.37% top
55338 root          1  20    0    34M    14M select   0   0:01   0.19% snmpd
 3053 root          1  20    0    18M  7600K select   2   0:00   0.10% sshd

Before and after pic attached.

9
22.7 Legacy Series / No clean shutdown for OPNsense as guest in Hyper-V Server 2022
« on: January 15, 2023, 06:21:12 pm »
Hi,

This one is really taking a toll on me. OPNsense has been no trouble before (other installs, not sure if they are on the latest version of OPNsense though...); it has cleanly shut down/rebooted before when the host is rebooted. Now I can't figure out why it goes down like a ton of bricks.

I've got a squeaky clean (just reinstalled for the second time) Windows Server 2022 Standard with the Hyper-V role.
Got two Linux guests (DietPi and Home Assistant) and two Windows guests (Server 2022 and Windows 10).
Everything is updated as it should be and on the latest.

OPNsense installed from the latest ISO (DVD) and updated.

The settings are the same for the guests.
In the event of a host reboot the guests have the setting to do a Save State and resume from there when the host is back up.
The Windows and Linux guests do as expected. But, as mentioned, OPNsense gets the "plug pulled" on it.

Integrated Services:
Code:
VMName Name                    Enabled PrimaryStatusDescription
------ ----                    ------- ------------------------
fwa    Guest Service Interface False   OK
fwa    Heartbeat               True    OK
fwa    Key-Value Pair Exchange True    OK
fwa    Shutdown                True    OK
fwa    Time Synchronization    True    OK
fwa    VSS                     True    OK


Network config (don't know if it matters). WAN is 0.0.0.0 because it was not connected to WAN while testing.
Code:
Name          IsManagementOs VMName SwitchName MacAddress   Status IPAddresses
----          -------------- ------ ---------- ----------   ------ -----------
nicLAN        False          fwa    sw01       00155D201400 {Ok}   {192.168.32.3}
nicWAN-VLAN20 False          fwa    sw01       000DB9562155 {Ok}   {0.0.0.0}
nicGST-VLAN50 False          fwa    sw01       00155D201401 {Ok}   {192.168.99.2}

I've made clean installs of OPNsense in both Gen 1 and Gen 2 guests. Same behaviour.

I've attached output of "dmesg -a" from a normal reboot and from the host reboot.
(please tell if I should clean out any "private" information in these, I couldn't identify any from a glance at them)

So maybe someone here has a clue what's up here?

From the "hyper-v reboot.txt"
Code:
cd0: Attempt to query device size failed: NOT READY, Medium not present
WARNING: /mnt was not properly dismounted
WARNING: /mnt: mount pending error: blocks 24 files 0
Mounting filesystems...
tunefs: / is not clean - run fsck.

camcontrol: ATA ATA_IDENTIFY via pass_16 failed
camcontrol: ATA ATAPI_IDENTIFY via pass_16 failed
** /dev/gpt/rootfs
** SU+J Recovering /dev/gpt/rootfs

USE JOURNAL? yes

** Reading 33554432 byte journal from inode 4.

RECOVER? yes

** Building recovery table.
** Resolving unreferenced inode list.
** Processing journal entries.

WRITE CHANGES? yes


***** FILE SYSTEM IS CLEAN *****
** 8 journal records in 2048 bytes for 12.50% utilization
** Freed 1 inodes (0 dirs) 0 blocks, and 2 frags.

***** FILE SYSTEM MARKED CLEAN *****

And some start parameters from Hyper-V
Code:
Name    AutomaticStopAction AutomaticStartDelay
----    ------------------- -------------------
dpa                    Save                  25
fwa                    Save                   0
haa                    Save                  20
srv2022                Save                  15
w10                    Save                  20

10
22.7 Legacy Series / WireGuard kernel module when going to 22.7?
« on: August 06, 2022, 12:25:15 pm »
Hi,

Got this AWESOME piece of firewall (22.1.10_4-amd64) huffing along on a PC Engines board (AMD GX-412TC SOC (4 cores, 4 threads), firmware v4.15.0.3), all great and configured with all sorts of things. VLAN, Unifi-controller, OpenVPN, WireGuard...
I've got a WireGuard tunnel, and on the PC Engines board I've installed wireguard-kmod to get some more "umf" out of it.

This could have been a simple question but I like to get in here how much I adore OPNsense :)

So, anything I should consider going forward with upgrading to 22.7 with wireguard-kmod installed?
Side quest, not as important as the VPN: anyone know if the Unifi-controller mod survives the upgrade too?

Brgs,

11
22.1 Legacy Series / Dump in logs and loss of connection
« on: June 02, 2022, 04:36:51 pm »
Hi,

Loss of internet connection. Everything fine after a restart. Didn't have the time to troubleshoot while it was happening. But OPNsense was fully accessible on its LAN address and a controlled reboot was performed.

Can/should I provide more info?

OPNsense 22.1.8_1-amd64
FreeBSD 13.0-STABLE
OpenSSL 1.1.1o 3 May 2022

2022-02-12T10:10:41       syslogd   exiting on signal 15   
2022-02-12T10:10:41       shutdown[15206]   reboot by root:   
2022-02-12T10:10:41       shutdown[15206]   reboot by root:   
2022-02-12T10:10:39       monit[67732]   'fw01.intdomain.local' Monit 5.29.0 stopped   
2022-02-12T10:10:39       monit[67732]   Monit daemon with pid [67732] stopped   
2022-02-12T10:10:28       kernel   hn0: promiscuous mode disabled   
2022-02-12T10:09:34       kernel   -> pid: 35692 ppid: 1 p_pax: 0xa50<SEGVGUARD,ASLR,NOSHLIBRANDOM,NODISALLOWMAP32BIT>   
2022-02-12T10:09:34       kernel   [HBSD SEGVGUARD] [syslog-ng (35692)] Preventing execution due to repeated segfaults.   
2022-02-12T10:09:34       kernel   -> pid: 12444 ppid: 35692 p_pax: 0xa50<SEGVGUARD,ASLR,NOSHLIBRANDOM,NODISALLOWMAP32BIT>   
2022-02-12T10:09:34       kernel   [HBSD SEGVGUARD] [syslog-ng (12444)] Suspending execution for 600 seconds after 5 crashes.   
2022-02-12T10:09:34       kernel   pid 12444 (syslog-ng), jid 0, uid 0: exited on signal 6 (core dumped)   
2022-02-12T10:09:34       supervise/syslog-ng[35692]   Error forking child process; error='Operation not permitted'   
2022-02-12T10:09:33       syslog-ng[49326]   syslog-ng starting up; version='3.35.1'   
2022-02-12T10:09:32       kernel   pid 90215 (syslog-ng), jid 0, uid 0: exited on signal 6 (core dumped)   
2022-02-12T10:09:32       kernel   pid 877 (syslog-ng), jid 0, uid 0: exited on signal 6 (core dumped)   
2022-02-12T10:09:31       kernel   pid 87704 (syslog-ng), jid 0, uid 0: exited on signal 6 (core dumped)   
2022-02-12T10:09:29       kernel   pid 48869 (syslog-ng), jid 0, uid 0: exited on signal 6 (core dumped)   
2022-02-12T09:54:32       /flowd_aggregate.py[52170]   vacuum done   
2022-02-12T09:54:32       /flowd_aggregate.py[52170]   vacuum interface_086400.sqlite   
2022-02-12T09:54:32       /flowd_aggregate.py[52170]   vacuum interface_003600.sqlite   
2022-02-12T09:54:32       /flowd_aggregate.py[52170]   vacuum interface_000300.sqlite   
2022-02-12T09:54:32       /flowd_aggregate.py[52170]   vacuum interface_000030.sqlite   
2022-02-12T09:54:32       /flowd_aggregate.py[52170]   vacuum dst_port_086400.sqlite   
2022-02-12T09:54:32       /flowd_aggregate.py[52170]   vacuum dst_port_003600.sqlite   
2022-02-12T09:54:32       /flowd_aggregate.py[52170]   vacuum dst_port_000300.sqlite   
2022-02-12T09:54:32       /flowd_aggregate.py[52170]   vacuum src_addr_086400.sqlite   
2022-02-12T09:54:32       /flowd_aggregate.py[52170]   vacuum src_addr_003600.sqlite   
2022-02-12T09:54:32       /flowd_aggregate.py[52170]   vacuum src_addr_000300.sqlite   
2022-02-12T09:54:32       /flowd_aggregate.py[52170]   vacuum src_addr_details_086400.sqlite   
2022-02-12T01:53:31       /flowd_aggregate.py[52170]   vacuum done
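
The log excerpt above shows HardenedBSD's SEGVGUARD counting repeated syslog-ng crashes, suspending the binary for 600 seconds and the supervisor then failing to fork it ("Operation not permitted"). The block below is an added example, not code from the post or from OPNsense: a small parser that runs over those lines (copied from the post, newest first as the web UI lists them) and summarises per program how many crashes occurred, on which signals, when the suspension ends and how many execs were denied. The "timestamp  source  message" layout and the regexes are assumptions based on the excerpt, not a documented format.

```python
"""Summarise HardenedBSD SEGVGUARD activity from OPNsense system-log lines.

Added example, not from the forum post. SAMPLE_LINES are copied from the
post's log excerpt (newest first, as the web UI lists them); the regexes
assume that "timestamp  source  message" layout.
"""
import re
from datetime import datetime, timedelta

SIGNALS = {6: "SIGABRT", 10: "SIGBUS", 11: "SIGSEGV"}

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)\s+(?P<src>\S+)\s+(?P<msg>.*)$")
EXIT_RE = re.compile(r"pid (?P<pid>\d+) \((?P<prog>[^)]+)\), jid \d+, uid \d+: exited on signal (?P<sig>\d+)")
SUSPEND_RE = re.compile(r"\[HBSD SEGVGUARD\] \[(?P<prog>\S+) \((?P<pid>\d+)\)\] Suspending execution for (?P<secs>\d+) seconds")
PREVENT_RE = re.compile(r"\[HBSD SEGVGUARD\] \[(?P<prog>\S+) \((?P<pid>\d+)\)\] Preventing execution")

SAMPLE_LINES = """\
2022-02-12T10:10:41  syslogd  exiting on signal 15
2022-02-12T10:09:34  kernel  -> pid: 35692 ppid: 1 p_pax: 0xa50<SEGVGUARD,ASLR,NOSHLIBRANDOM,NODISALLOWMAP32BIT>
2022-02-12T10:09:34  kernel  [HBSD SEGVGUARD] [syslog-ng (35692)] Preventing execution due to repeated segfaults.
2022-02-12T10:09:34  kernel  -> pid: 12444 ppid: 35692 p_pax: 0xa50<SEGVGUARD,ASLR,NOSHLIBRANDOM,NODISALLOWMAP32BIT>
2022-02-12T10:09:34  kernel  [HBSD SEGVGUARD] [syslog-ng (12444)] Suspending execution for 600 seconds after 5 crashes.
2022-02-12T10:09:34  kernel  pid 12444 (syslog-ng), jid 0, uid 0: exited on signal 6 (core dumped)
2022-02-12T10:09:34  supervise/syslog-ng[35692]  Error forking child process; error='Operation not permitted'
2022-02-12T10:09:33  syslog-ng[49326]  syslog-ng starting up; version='3.35.1'
2022-02-12T10:09:32  kernel  pid 90215 (syslog-ng), jid 0, uid 0: exited on signal 6 (core dumped)
2022-02-12T10:09:32  kernel  pid 877 (syslog-ng), jid 0, uid 0: exited on signal 6 (core dumped)
2022-02-12T10:09:31  kernel  pid 87704 (syslog-ng), jid 0, uid 0: exited on signal 6 (core dumped)
2022-02-12T10:09:29  kernel  pid 48869 (syslog-ng), jid 0, uid 0: exited on signal 6 (core dumped)
""".splitlines()


def _new():
    return {"crashes": 0, "signals": set(), "first": None, "last": None,
            "suspended_until": None, "blocked_pids": [], "exec_denied": 0}


def parse(lines):
    """Return [(datetime, source, message)] for well-formed lines, oldest first."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], m["msg"]))
    events.sort(key=lambda e: e[0])
    return events


def segvguard_report(lines):
    """Per-program summary: crash count and signals, SEGVGUARD suspension, denied execs.

    A suspension means the kernel refuses to exec that binary until the timer
    runs out, so the supervisor's fork/exec fails with EPERM (the
    'Operation not permitted' line). On a firewall that leaves you without a
    local syslog for the suspension period unless you reboot.
    """
    report = {}
    for ts, src, msg in parse(lines):
        if src.startswith("supervise/") and "Operation not permitted" in msg:
            prog = src[len("supervise/"):].split("[", 1)[0]
            report.setdefault(prog, _new())["exec_denied"] += 1
            continue
        if src != "kernel":
            continue
        if m := EXIT_RE.search(msg):
            r = report.setdefault(m["prog"], _new())
            r["crashes"] += 1
            r["signals"].add(SIGNALS.get(int(m["sig"]), "SIG" + m["sig"]))
            r["first"] = ts if r["first"] is None else min(r["first"], ts)
            r["last"] = ts if r["last"] is None else max(r["last"], ts)
        elif m := SUSPEND_RE.search(msg):
            r = report.setdefault(m["prog"], _new())
            r["suspended_until"] = ts + timedelta(seconds=int(m["secs"]))
        elif m := PREVENT_RE.search(msg):
            report.setdefault(m["prog"], _new())["blocked_pids"].append(int(m["pid"]))
    return report


if __name__ == "__main__":
    for prog, r in segvguard_report(SAMPLE_LINES).items():
        print(prog, r["crashes"], "crashes on", sorted(r["signals"]),
              "between", r["first"], "and", r["last"],
              "; suspended until", r["suspended_until"],
              "; execs denied:", r["exec_denied"])
```

Note that the five exits in the excerpt are on signal 6 (SIGABRT, an abort, typically an assertion or allocator check in syslog-ng itself), not SIGSEGV; SEGVGUARD counts them all the same, which is why the "repeated segfaults" message fires. The crash itself is the thing to chase in the core dumps; the 600-second exec ban is only the symptom that makes it visible.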

12
General Discussion / Unbound restarts if "Register DHCP leases" is checked?
« on: March 25, 2022, 08:11:21 pm »
Hi!

Does Unbound restart if "Register DHCP leases" is checked and a new lease is registered in DHCP?

I'm in the transition from pfsense to OPNsense and this seems to be a hot potato, but rather old.., and is not solved over there. Got a link to where it was discussed, and to me (rather novice on this) it looks like a solution is given but not picked up.

13
General Discussion / "shutdown now" from shell and it ask for /bin/sh on the console
« on: March 15, 2022, 09:19:33 pm »
Hi all!

Corrupt install or something with last version? (I've toyed around a bit with this install...)

See attached pic.

14
General Discussion / Virtualized OPNsense, VHDX, ZFS, reclaim space
« on: March 15, 2022, 05:24:22 pm »
Hi,

Very little experience with ZFS, just toyed around with it in a FreeNAS solution many years ago. In my ongoing project to teach myself OPNsense I've installed OPNsense with ZFS as a guest in Hyper-V (Server 2022).
Everything works great and fast firewall-wise. I just noticed, though, that the VHDX on the host is ballooning in size. Now at around 75 GB.

So, I reach out here for some BSD and ZFS knowledge. I've googled around on the subject but nothing seems to work. ZFS: turn off dedup and compression. Filling the disk with zeros (dd), sync, removing the file, sync.
I can't even see that the free storage changes. So, "not knowing what I'm doing here" is a good summary.

Here is some info I think is relevant:
Code:
root@fwo:/ # du -shc /*
4.5K    /COPYRIGHT
875K    /bin
174M    /boot
6.8M    /conf
3.0K    /dev
4.5K    /entropy
2.1M    /etc
512B    /home
8.6M    /lib
113K    /libexec
512B    /media
512B    /mnt
512B    /net
512B    /proc
512B    /rescue
 41K    /root
3.4M    /sbin
512B    /sys
 93K    /tmp
797M    /usr
 88M    /var
512B    /zroot
1.1G    total
root@fwo:/ # df -h
Filesystem            Size    Used   Avail Capacity  Mounted on
zroot/ROOT/default    114G    1.0G    113G     1%    /
devfs                 1.0K    1.0K      0B   100%    /dev
/dev/da0p1            260M    1.8M    258M     1%    /boot/efi
zroot/var/mail        113G    120K    113G     0%    /var/mail
zroot/var/tmp         113G     96K    113G     0%    /var/tmp
zroot/var/log         113G     42M    113G     0%    /var/log
zroot/tmp             113G    196K    113G     0%    /tmp
zroot/var/audit       113G     96K    113G     0%    /var/audit
zroot/usr/src         113G     96K    113G     0%    /usr/src
zroot                 113G     96K    113G     0%    /zroot
zroot/var/crash       113G     96K    113G     0%    /var/crash
zroot/usr/home        113G     96K    113G     0%    /usr/home
zroot/usr/ports       113G     96K    113G     0%    /usr/ports
devfs                 1.0K    1.0K      0B   100%    /var/dhcpd/dev
devfs                 1.0K    1.0K      0B   100%    /var/unbound/dev
devfs                 1.0K    1.0K      0B   100%    /var/captiveportal/zone0/dev

Nowhere I can see that OPNsense is using 75GB of storage. My inexperience with finding stuff in BSD maybe?

Any hint on what's going on here? :D

Brgs,

15
Virtual private networks / WireGuard between pfSense and OPNsense, pfSense doesn't add routes as OPNsense does?
« on: March 06, 2022, 07:56:54 pm »
Hi,

Its-me-again! My journey into OPNsense makes progress. Fun stuff!

I banged my head a while on this one.
First try: two OPNsense connected with WireGuard. This was a "walk in the park" once I figured out what goes where. Felt like Captain Slow before that...  ::)
Second attempt: connecting an OPNsense and a pfSense together. I read a lot of the guides and tips on the subject.

At first I couldn't get traffic from pfSense to OPNsense. Found out that WireGuard on pfSense had not created the required routes. To get pfSense WireGuard to create routes it required a lot more: assign an interface and create routes manually.
OPNsense has no such problem; routes were present without assigning an interface and creating routes manually.

So, have I got this right? It is this "easy" on OPNsense and all that trouble on pfSense?
I understand the point of creating an interface, but in my case here I don't see that I need one.
